[Owasp-leaders] Wiki For Function Injection and Memcached Injection

Matt Tesauro matt.tesauro at owasp.org
Thu Sep 1 16:51:43 UTC 2016


Fady,

While I generally agree with Dave's advice, there's one thing he may not
know since he's had a wiki account, well, almost forever. ; )

The wiki has been, off and on, flooded with bogus account requests starting
in early 2016.  At the peak, we were seeing ~700 account requests per month
with a peak at 966.  Kate has been doing heroic efforts to allow only
legitimate requests through.  The ones that slip through have been SPAM'ing
the wiki, in some cases 250+ new or edited pages.  When multiple SPAM'ers
got through, we had SPAMers editing other SPAMers' pages which breaks the
built-in wiki cleanup tools.  So much so, that I wrote a custom program to
clean up really bad SPAM attacks [1].

So, let me know here that you put in a request for a wiki account after you
confirm your email address per the email sent from the wiki so I can get
you the access you deserve.

FOR THE REST OF YOU:  At least in the near term, please submit the form and
confirm your address THEN submit a ticket in the Contact Us form at
https://www.tfaforms.com/308703 with "IT Support" as your type of help and
tell us what bit you want to edit/add.  That will help us distinguish the
real from the bogus.

I have generally not talked much about this primarily to keep the SPAMer in
the dark in case they are closely looking at our wiki and mail lists.
However, I'd like the community to know why getting a wiki account isn't as
easy as it once was AND that we're working on fixing this issue.  I'll be
spending a good chunk of the upcoming US holiday weekend doing updates on
the wiki for this and other reasons.

---------

To try to answer potential questions:

(1) Use anti-automation [something] or a CAPTCHA to remove these requests

These are not normal script kiddie blunt automation attacks.  For the
SPAMer accounts that got through, they submitted a request, verified an
email address, and submitted a "Contact Us" request asking for their
account to be approved.  These include getting past a CAPTCHA.  They also
directly emailed Kate, myself, webmaster at owasp.org, and admin at owasp.org at
various times and for various accounts.

Also, we're asking for a short bio now when you request a wiki account.
These requests aren't just "asdf" or random text for the bios but decently
written and legit-sounding bios that are unique per request, like this
SPAMer example:

Hi my name is Trilok Sharma. I am a software professional with more than 10
years of desktop , web and mobile application development experience. i
have completed many of the projects. I have expertise in c , c++ , Java ,
microsoft .net , java script , HTMl , CSS and object reporting technologies
. i want to create a comutiny for active and well skilled software
professionals. I have purchased a membership account also. kindly create my
account. Thanking you.


I suspect that the submissions are done by 'wet-ware' aka humans where
labor costs are low enough to make this effective.  BTW, Trilok Sharma is
not a paid OWASP member - big surprise. ;)

(2) Why?

I'm not 100% sure on this one.  They have been adding SPAM about Quickbooks
support services.  Since we average between 7.5 and 8 million hits per week
on the wiki, I suspect SPAM on our wiki gives them lots of Google Foo as
far as the search engine is concerned.

(3) Don't they just move to the next target once we stop approving their
accounts and/or start monitoring for SPAM more closely?

It kinda looks like we might be at that point.  The velocity of requests is
starting to slow down but is still much higher than 'normal'.  There have
been fewer SPAM cleanups - the last one was in early August.  I don't have a
handle on the value of SPAM'ing our wiki, which is a good proxy for how
painful we need to make their interactions with it before they move on.

However, I can say two things about this SPAM'ing effort:

They are patient.  I've seen accounts that got approved stay dormant for
weeks before 'waking up' and SPAM'ing the wiki.

They are persistent.  I've seen an account sit dormant for a week, wake up
and start SPAM'ing, then have the SPAM content removed.  After removing the
SPAM, I noticed HEAD requests for the URL of the SPAM page, which 404 after
removal.  About 2 hours after they start 404'ing, a new SPAM'er account
wakes up and starts SPAM'ing.

---------

So, we're working on this and trying to find the right amount of scrutiny
to place on requests before they get approved.  This may slow you down a
bit.  We're sorry about that and we're actively working on getting things
shored up to remove that slow-down.

Cheers!

[1]
https://github.com/mtesauro/random-docs/tree/master/scripts/mediawiki/spam-cleanup

--
-- Matt Tesauro
OWASP AppSec Pipeline Lead
https://www.owasp.org/index.php/OWASP_AppSec_Pipeline
OWASP WTE Project Lead
https://www.owasp.org/index.php/OWASP_Web_Testing_Environment_Project
http://AppSecLive.org - Community and Download site


On Thu, Sep 1, 2016 at 9:34 AM, Dave Wichers <dave.wichers at owasp.org> wrote:

> Fady,
>
> That's it. Just request an account on the wiki and it should be approved
> in short order and then you can create whatever pages you want and edit
> existing pages as well. 99% of what's on the OWASP wiki is publicly
> editable by anyone with a wiki account.  And once you have the new pages
> ready for release, let us all know about them and ask for a quick
> review/sanity check.
>
> Thanks for offering to contribute.
>
> -Dave
>
>
> On Thu, Sep 1, 2016 at 9:58 AM, Fady Othman <fady.othman at owasp.org> wrote:
>
>> Dears,
>>
>> I was discussing "function injection" with a friend of mine who brought
>> to my attention that a "function injection" page doesn't exist in OWASP
>> website.
>>
>> I also found that there's no "memcached injection" page.
>>
>> I can work on both pages if you want but I don't know the steps, should I
>> simply send a request to sign up for the wiki or is it more complicated
>> than that?
>>
>> Thanks,
>>
>> Fady Othman
>>
>> _______________________________________________
>> OWASP-Leaders mailing list
>> OWASP-Leaders at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>
>>
>
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>
>
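The probe-then-wake-up pattern Matt describes under (3) (HEAD requests that 404 against a removed SPAM page, followed a couple of hours later by a dormant account's first edit) is the kind of thing a wiki admin can watch for in the access log. The script below is an added example, not code from the post and not Matt's spam-cleanup script at [1]; the log lines, account names, approval dates and page titles in it are constructed, and the "removed spam paths" set and dormancy/window thresholds are assumptions for illustration.

```python
"""Added example (not from the post, nor from the spam-cleanup script at [1]):
flag the probe-then-wake-up pattern described in (3).  All access-log lines,
account names, approval dates and page titles below are constructed."""
import re
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" access-log format; the sample lines are constructed.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

SAMPLE_LOG = [
    '203.0.113.7 - - [10/Aug/2016:09:12:01 +0000] "GET /index.php/Main_Page HTTP/1.1" 200 5120',
    '203.0.113.7 - - [10/Aug/2016:09:15:44 +0000] "HEAD /index.php/Quickbooks_Support_Number HTTP/1.1" 404 0',
    '198.51.100.9 - - [10/Aug/2016:09:40:02 +0000] "HEAD /index.php/Quickbooks_Support_Number HTTP/1.1" 404 0',
    '192.0.2.33 - - [10/Aug/2016:10:01:10 +0000] "HEAD /index.php/No_Such_Page HTTP/1.1" 404 0',
]

# Pages an admin deleted as spam (hypothetical title).  Anyone still HEAD-ing
# these is checking whether the spam survived; a random 404 is just noise.
REMOVED_SPAM_PATHS = {"/index.php/Quickbooks_Support_Number"}

# Constructed account data, as it would come from MediaWiki's user and
# recentchanges tables: when each account was approved and each of its edits.
EDITS = [
    {"user": "longtime_editor", "approved": datetime(2010, 1, 1, tzinfo=timezone.utc),
     "ts": datetime(2016, 8, 1, 12, 0, tzinfo=timezone.utc), "page": "Main_Page"},
    {"user": "longtime_editor", "approved": datetime(2010, 1, 1, tzinfo=timezone.utc),
     "ts": datetime(2016, 8, 10, 11, 0, tzinfo=timezone.utc), "page": "Main_Page"},
    {"user": "spam_acct_17", "approved": datetime(2016, 7, 20, tzinfo=timezone.utc),
     "ts": datetime(2016, 8, 10, 11, 30, tzinfo=timezone.utc), "page": "Quickbooks_Help_Line"},
    {"user": "fresh_signup", "approved": datetime(2016, 8, 9, tzinfo=timezone.utc),
     "ts": datetime(2016, 8, 10, 11, 45, tzinfo=timezone.utc), "page": "Sandbox"},
    {"user": "spam_acct_22", "approved": datetime(2016, 7, 1, tzinfo=timezone.utc),
     "ts": datetime(2016, 8, 10, 18, 0, tzinfo=timezone.utc), "page": "Quickbooks_Phone"},
]


def parse_log(lines):
    """Turn combined-format lines into dicts; lines that don't match are skipped."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue
        events.append({
            "ip": m["ip"],
            "ts": datetime.strptime(m["ts"], TS_FMT),
            "method": m["method"],
            "path": m["path"],
            "status": int(m["status"]),
        })
    return events


def find_probes(events, removed_paths):
    """HEAD requests that 404 against a path we know we deleted as spam."""
    return [e for e in events
            if e["method"] == "HEAD" and e["status"] == 404
            and e["path"] in removed_paths]


def correlate_wakeups(probes, edits, window=timedelta(hours=3),
                      dormant=timedelta(days=7)):
    """First-ever edits by accounts that sat idle at least `dormant` after
    approval and landed within `window` after a probe.  Returns one hit per
    account, attributed to the earliest qualifying probe."""
    first_edit = {}
    for e in sorted(edits, key=lambda e: e["ts"]):
        first_edit.setdefault(e["user"], e)
    hits = []
    for e in first_edit.values():
        if e["ts"] - e["approved"] < dormant:
            continue  # a brand-new account editing at once is a different signal
        for p in sorted(probes, key=lambda p: p["ts"]):
            lag = e["ts"] - p["ts"]
            if timedelta(0) <= lag <= window:
                hits.append({"user": e["user"], "page": e["page"],
                             "probe_ip": p["ip"], "lag_seconds": lag.total_seconds()})
                break
    return hits


if __name__ == "__main__":
    probes = find_probes(parse_log(SAMPLE_LOG), REMOVED_SPAM_PATHS)
    for h in correlate_wakeups(probes, EDITS):
        print(f"{h['user']} edited {h['page']} {h['lag_seconds'] / 3600:.1f}h "
              f"after a probe from {h['probe_ip']}")
```

On the constructed data only spam_acct_17 is flagged: the long-standing editor's first edit predates the probes, the day-old account fails the dormancy test, and the other dormant account edits well outside the window. Tune the window and dormancy thresholds to the lags actually observed in your own logs; the 2-hour figure in the post is a single observation, not a constant.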